Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Change Auditor Threat Detection 7.4 - User Guide

Table of Contents

Introduction to Change Auditor Threat Detection

Overview Which Change Auditor modules are monitored? Threat Detection server events Threat detection concepts

Baselines Threat indicators SMART alerts Risk scoring

Threat Detection process

Using the Threat Detection Dashboard

Deployment and installation Accessing the dashboard Overview tab

High Risk Users SMART Alerts All Users Alerts Status Alerts Severity

Risk Navigator User severity calculation

Alert severity calculation Alert List Alert Filter How to perform an alert investigation

Common functions

Alert and indicator reference

Alert types Threat indicators Our brand, our vision. Together. Contacting Quest Technical support resources

Threat indicators

The following tables contain indicators (and the alert that they are associated with) available for each Change Auditor subsystem:

Table 2. Change Auditor for Windows File Servers, NetApp, and EMC
Indicator Name	Alert Name	Description
Abnormal File Access Time	Non-Standard Hours	A user accessed a file at an abnormal time.
Abnormal File Access Permission Change	Mass Permission Changes	A user changed multiple share permissions.
Abnormal File Access Event	Abnormal File Access	A user accessed a file abnormally.
Multiple File Access Permission Changes	Mass Permission Changes	A user changed multiple file share permissions.
Multiple File Access Events	Snooping User	A user accessed multiple file share permissions.
Multiple Failed File Access Permission Changes	Mass Permission Changes	A user failed multiple times to change file access permissions.
Multiple Failed File Access Events	Snooping User	A user failed multiple times to access a file.
Multiple File Open Events	Snooping User	A user opened multiple files.
Multiple Folder Open Events	Snooping User	A user opened multiple folders.
Multiple File Delete Events	Abnormal File Access	A user deleted multiple files.
Multiple File Rename Events	Mass File Rename	A user renamed multiple files.
Excessive Number of Files Moved from File System	Data Exfiltration	A user moved multiple files from a shared drive.
Excessive Number of Files Moved to File System	Data Exfiltration	A user moved multiple files to a shared drive.

Table 3. Change Auditor for Active Directory
Indicator Name	Alert Name	Description
Abnormal Active Directory Change Time	Non-Standard Hours	A user made Active Directory changes at an abnormal time.
Abnormal Active Directory Change	Abnormal AD Changes	A user made an abnormal change to AD attribute.
Abnormal Site	Abnormal Site Access	A user logged on from a computer in an abnormal site.
Multiple Member Additions to Enterprise Critical Groups See the list of groups in the Change Auditor for Active Directory Event Reference Guide for "Member Added to Critical Enterprise Group”.	Mass Changes to Critical Enterprise Groups	A user successfully made multiple changes to sensitive groups.
Multiple Group Membership Changes	Mass Changes to Groups	A user successfully made multiple changes to groups.
Multiple Account Management Changes	Abnormal AD Changes	A user successfully made multiple Active Directory changes.
Multiple User Account Management Changes	Abnormal AD Changes	A user successfully made multiple sensitive Active Directory changes.
Multiple Failed Account Management Changes	Abnormal AD Changes	A user failed to make multiple Active Directory changes.
Admin Password Changed	Admin Password Change	An admin's password was changed.
User Account Enabled	Sensitive User Status Changes	A user enabled another user account.
User Account Disabled	Sensitive User Status Changes	A user disabled another user account.
User Account Unlocked	Sensitive User Status Changes	A user unlocked another user account.
User Account Type Changed	Sensitive User Status Changes	A user account type was changed by another user account.
User Account Locked	Sensitive User Status Changes	A user locked another user account.
User Password Never Expires Option Changed	Sensitive User Status Changes	A user password policy was changed by another user account.
User Password Changed by Non-Owner	Sensitive User Status Changes	A user's password was changed by non-owner.
User Password Changed	Sensitive User Status Changes	A user changed the password for another user account.
Member Added to Critical Enterprise Group	Elevated Privileges Granted	A user was added to a privileged group.

Table 4. Change Auditor for Logon Activity
Indicator Name	Alert Name	Description
Abnormal Logon Time	Non-Standard Hours	A user logged on at an abnormal time.
Abnormal Remote Computer	User Login to Abnormal Remote Host	A user attempted to remotely access an abnormal computer.
Abnormal Computer	User Login to Abnormal Host	A user attempted to access an abnormal computer.
Multiple Successful Authentications	Multiple Logons by User	A user logged on multiple times.
Multiple Failed Authentications	Multiple Failed Logons	A user failed to log on multiple times.
Logged into Multiple Domains	User Logins to Multiple AD Sites	A user attempted to log on to multiple domains.
Logged onto Multiple Computers	User Logged into Multiple Hosts	A user attempted to log on from multiple computers.

Our brand, our vision. Together.

Our logo reflects our story: innovation, community and support. An important part of this story begins with the letter Q. It is a perfect circle, representing our commitment to technological precision and strength. The space in the Q itself symbolizes our need to add the missing piece — you — to the community, to the new Quest.

Contacting Quest

For sales or other inquiries, visit www.quest.com/contact.

Technical support resources

Technical support is available to Quest customers with a valid maintenance contract and customers who have trial versions. You can access the Quest Support Portal at https://support.quest.com.

The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. The Support Portal enables you to:

•

Submit and manage a Service Request.

•

View Knowledge Base articles.

•

Sign up for product notifications.

•

Download software and technical documentation.

•

View how-to-videos.

•

Engage in community discussions.

•

Chat with support engineers online.

•

View services to assist you with your product.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center